Problem:
After signing with my Entrust Authenticode or Kernel Mode Code Signing Certificate, Windows states that the file is not signed.
Cause:
Windows Vista does not support SHA2 (SHA256) Code Signing certificates at this time.
Windows 7 and Server 2008 require an update; please see the Microsoft security advisory: https://support.microsoft.com/en-us/kb/3033929
Workaround:
Windows 8 and up support SHA2 Authenticode Certificates. You can use the Microsoft Signing Tool to sign with both SHA1 and SHA2 certificates. You will be required to issue two Authenticode Code Signing Certificates, one for SHA1 and one for SHA2. For more information, please follow the instructions suggested by Microsoft in "Signing a driver package with two signatures".
Signing a driver package with two signatures
In some cases, you might want to sign a driver package with two different signatures. For example, suppose you want your driver to run on Windows 7 and Windows 8. Windows 8 supports signatures created with the SHA256 hashing algorithm, but Windows 7 does not. For Windows 7, you need a signature created with the SHA1 hashing algorithm.
Suppose you want to build and sign a driver package that will run on Windows 7 and Windows 8 on x64 hardware platforms. You can sign your driver package with a primary signature that uses SHA1. Then you can append a secondary signature that uses SHA256. You can use the same certificate for both signatures, or you can use separate certificates. Here are the steps to create the two signatures using Visual Studio.
- In the Solution Explorer window, right-click Solution SolutionName, and choose Configuration Manager. For the driver project and the package project, set Configuration to Win7 Release, and set Platform to x64.
- Open the property pages for the driver package. Navigate to Configuration Properties > Driver Signing > General. In the Sign Mode drop-down list, select Production Sign. For Production Certificate, enter the path to your signing certificate.
- In the property pages for the driver package, navigate to Configuration Properties > Custom Build Step > General. For Description, select Performing Custom Build Step. For Execute After, select DriverProductionSign. For Command Line, enter this command.
Signtool sign /fd sha256 /ph /as /sha1 XX...XX $(TargetPath)
where XX...XX is the hash of the certificate you are using for the secondary signature.
Note: To see the hash (also called the thumbprint) of a certificate, open a Command Prompt window and navigate to the directory that contains your certificate. Enter the command certutil -dump CertName.pfx, where CertName.pfx is the name of your certificate.
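The same dual-signing sequence can be run outside Visual Studio and then checked signature by signature. The script below is an added example, not Entrust's or Microsoft's own code. It assumes signtool.exe is on the PATH and that both certificates are installed in the certificate store. The parameter names and the Invoke-SignTool helper are hypothetical.

```powershell
# Added example: dual-sign one file, then confirm that both signatures verify.
# Parameter names are hypothetical; thumbprints come from certutil -dump.
param(
    [Parameter(Mandatory)] [string] $TargetPath,       # file to sign, e.g. the built driver
    [Parameter(Mandatory)] [string] $Sha1CertThumb,    # thumbprint of the certificate for the primary signature
    [Parameter(Mandatory)] [string] $Sha256CertThumb   # thumbprint of the certificate for the secondary signature
)

# Hypothetical helper: run signtool and stop the script on any non-zero exit code.
function Invoke-SignTool {
    param([string[]] $Arguments)
    & signtool.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Primary signature with a SHA1 file digest (the one Windows 7 needs).
#    This step must come first: signing without /as replaces any existing signature.
#    /sha1 selects the signing certificate by thumbprint; it does not set the digest.
Invoke-SignTool @('sign', '/fd', 'sha1', '/sha1', $Sha1CertThumb, $TargetPath)

# 2. Secondary signature with a SHA256 file digest, appended with /as so the
#    primary signature is kept. Same options as the custom build step command.
Invoke-SignTool @('sign', '/fd', 'sha256', '/ph', '/as', '/sha1', $Sha256CertThumb, $TargetPath)

# 3. Verify each signature by index: 0 is the primary, 1 is the appended one.
#    A missing secondary signature makes the /ds 1 check fail.
foreach ($index in 0, 1) {
    Invoke-SignTool @('verify', '/pa', '/ds', "$index", $TargetPath)
}

# 4. Verbose listing of every signature, to confirm the digest algorithm of each.
Invoke-SignTool @('verify', '/pa', '/all', '/v', $TargetPath)
```

For a kernel-mode driver, replace /pa with /kp in the verify steps so the kernel-mode driver signing policy is applied.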